Educause Security Discussion mailing list archives
Re: Shodan value
From: Andre DiMino <adimino () GWU EDU>
Date: Mon, 24 Jul 2017 09:25:19 -0400
All good points Nick, and I generally agree. However in our case, we have two /16's across many schools, faculty, staff, and students. Our network's constituencies are constantly changing. Hosts are spun up, taken down, new OSes and applications are deployed and left unpatched. The vulnerabilities revealed on the visible hosts may change hour to hour. It's an ongoing challenge to stay ahead of this network entropy. So when Shodan offers a quick and easy way for potential attackers to highlight our more egregious vulnerabilities, it escalates our existing challenge.

I agree that Shodan is a great resource and that there are many very good tools provided. In fact, we have used Shodan Scanhub for private aggregation and correlation of our own scans.

Thanks!
Andre'

On Fri, Jul 21, 2017 at 10:36 AM, Nicholas Garigliano <ngarigl8 () naz edu> wrote:
My thoughts on this subject. Please feel free to point out anything I have wrong or missed or am deluded on......

From an external perspective there are two major threats to consider:

1. Drive-by attack based on the results of an automated info gathering process (service scan followed by vulnerability scan) against your IP space. Based on the results, it then attempts to pragmatically leverage known weaknesses that it discovers to gain access.
2. Directed attack against your IP space. The attacker is going after you specifically with the goal of gaining access to your internal network or for performing a DoS on your site/service or presence in general.

Blocking Shodan is not really going to gain you much when considering either scenario. While it might make it more difficult, not having access to Shodan information isn't really going to deter any determined attacker. They have the same access to your IP space that Shodan has and it isn't difficult to gather that info. Shodan is just a search engine. Security through obscurity rarely gains you much. There is also the issue of maintaining an IP list for Shodan nodes in your firewall.

You can actually use Shodan to your advantage to help you find flaws in your external configuration that you might miss. You can use their API to automate checking on a regular basis. A cool framework to work with along these lines is Recon-ng (https://bitbucket.org/LaNMaSteR53/recon-ng). Definitely worth spending some time with.

Thanks,
Nick Garigliano
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Thu, Jul 20, 2017 at 11:53 AM, Andre DiMino <adimino () gwu edu> wrote:

We block Shodan as we prefer not to have any vulnerabilities or misconfigured hosts be publicly identified. We perform our own regular external (and internal) scans from pre-identified IP space.

Andre'

On Thu, Jul 20, 2017 at 10:54 AM, Reyor, William F. <wreyor () fairfield edu> wrote:

We utilize the DHS NCCIC which provides more visibility than Shodan (full Nessus scan of all public ranges). And block Shodan.

Thanks,
Bill

On Jul 20, 2017, at 10:49 AM, Ford, Bryan <bryan.ford () NDUS EDU> wrote:

There has been some discussion of the value of Shodan and should we block it or leave it open and monitor it. I see the value of it and wanted to know what others are doing with it.

Thanks
Bryan
-- Andre' M. DiMino Principal Security Engineer The George Washington University Desk: (202) 994-6114 Cell: (202) 365-0548 adimino () gwu edu
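Added example, not part of the thread or any poster's code: one way to act on the points raised above about automating regular checks and about exposure changing hour to hour is to diff successive snapshots of externally observed services against an approved baseline. The records use field names found in Shodan search results (`ip_str`, `port`, `transport`, `product`); the netblocks, baseline and records are constructed from documentation address ranges, and fetching the records from an API is left out so the example runs offline.

```python
import ipaddress

# Constructed placeholders (documentation address space), not real campus data.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
# Services approved for external exposure: (ip, port, transport).
APPROVED = {("192.0.2.10", 443, "tcp"), ("192.0.2.10", 80, "tcp"), ("198.51.100.25", 25, "tcp")}

# Constructed snapshots of externally observed services (previous run, latest run).
PREVIOUS = [
    {"ip_str": "192.0.2.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "198.51.100.25", "port": 25, "transport": "tcp", "product": "Postfix smtpd"},
    {"ip_str": "192.0.2.77", "port": 23, "transport": "tcp", "product": "telnetd"},
]
LATEST = [
    {"ip_str": "192.0.2.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "198.51.100.25", "port": 25, "transport": "tcp", "product": "Postfix smtpd"},
    {"ip_str": "192.0.2.140", "port": 3389, "transport": "tcp", "product": "Remote Desktop"},
    {"ip_str": "198.51.100.9", "port": 161, "transport": "udp"},
    {"ip_str": "203.0.113.5", "port": 22, "transport": "tcp", "product": "OpenSSH"},  # outside our space
]

def exposed(records, nets=OUR_NETS):
    """Map (ip, port, transport) -> product for records that fall inside our networks."""
    out = {}
    for r in records:
        ip = ipaddress.ip_address(r["ip_str"])
        if any(ip in n for n in nets):
            out[(r["ip_str"], r["port"], r.get("transport", "tcp"))] = r.get("product", "unknown")
    return out

def exposure_report(previous, latest, approved=APPROVED):
    """Classify unapproved services as new, persisting or closed since the last snapshot."""
    prev, cur = exposed(previous), exposed(latest)
    bad_prev, bad_cur = set(prev) - approved, set(cur) - approved
    return {
        "new": sorted(bad_cur - bad_prev),            # appeared since the last run
        "persisting": sorted(bad_cur & bad_prev),     # still unremediated
        "closed": sorted(bad_prev - bad_cur),         # no longer observed
        "approved_missing": sorted(approved - set(cur)),  # expected but not seen
    }

if __name__ == "__main__":
    for status, services in exposure_report(PREVIOUS, LATEST).items():
        for ip, port, transport in services:
            print(f"{status:16} {ip}:{port}/{transport}")
```

The same report works on records from an organisation's own external scans, since only the three-field service key is compared.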